## An Efficient Strong Designated Verifier Signature Scheme (2003)

Venue: | Proc. of ICISC 2003, Springer LNCS |

Citations: | 20 - 0 self |

### BibTeX

@INPROCEEDINGS{Saeednia03anefficient,

author = {Shahrokh Saeednia and Steve Kremer and Olivier Markowitch and Université Libre De Bruxelles},

title = {An Efficient Strong Designated Verifier Signature Scheme},

booktitle = {Proc. of ICISC 2003, Springer LNCS},

year = {2003},

pages = {40--54},

publisher = {Springer-Verlag}

}

### OpenURL

### Abstract

This paper proposes a designated verifier signature scheme based on the Schnorr signature and the Zheng signcryption schemes. One of the advantages of the new scheme compared with all previously proposed schemes is that it achieves the "strong designated verifier" property without encrypting any part of the signatures. This is because the designated verifier's secret key is involved in the verification phase. Another advantage of the proposed scheme is the low communication and computational cost. Generating a signature requires only one modular exponentiation, while this amount is two for the verification. Also, a signature in our scheme is more than four times shorter than those of known designated verifier schemes.

### Citations

1785 | How to share a secret
- Shamir
- 1979
(Show Context)
Citation Context ...er proof of undeniable signatures (see section 3 for a description and the appendix for our cryptanalysis of this scheme). More recently, in 2001, Rivest, Shamir and Tauman introduced ring signatures =-=[11]-=-, allowing to generate a signature linked to a group of potential signers. A special case of these signatures (by setting the size of the group to two) provides designated verifier signatures (see sec... |

1348 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ...s. They argued that in order to prove such schemes secure, it is essential to consider theshash function in use as a random function and showed how to prove the security using the Random Oracle Model =-=[2]-=- and a new lemma, called the Forking Lemma. We assume that the reader is familiar with the random oracle model and the forking lemma. We just note that the security proofs in this model are based on t... |

587 |
Efficient signature generation by smart cards
- Schnorr
- 1991
(Show Context)
Citation Context ...lled strong designated verifier, was briefly discussed in [8]. In this paper, we introduce a new efficient designated verifier signature scheme that is based on a combination of the Schnorr signature =-=[12]-=- and the Zheng signcryption schemes [13]. It requires only 1 modular exponentiation to generate and 2 modular exponentiations to verify a signature, i.e. no additional exponentiations are needed to co... |

495 |
Group signatures
- Chaum, Heyst
- 1991
(Show Context)
Citation Context ...e than four times shorter than those of known designated verifier schemes. Key words: Signature, Designated verifier, Signcryption, Discrete logarithm. 1 Introduction In 1989, Chaum and van Antwerpen =-=[4]-=- introduced the notion of undeniable signatures with the goal of enabling signers to have complete control over their signatures. That is, the verification of such signatures requires the participatio... |

284 | Security arguments for digital signatures and blind signatures
- Pointcheval, Sterrn
- 2000
(Show Context)
Citation Context ... to Bob to prove the knowledge of xb as the discrete logarithm of yb in one hand and of c on the other hand with respect to g and (g s y r a )t mod p as the bases, respectively. 5 Security In [9] and =-=[10]-=-, Pointcheval and Stern discussed the security of a large class of signature schemes, namely those that are derived from zero-knowledge identification protocols by replacing the verifier’s role with s... |

210 | Security proofs for signature schemes
- Pointcheval, Stern
(Show Context)
Citation Context ...and asks to Bob to prove the knowledge of xb as the discrete logarithm of yb in one hand and of c on the other hand with respect to g and (g s y r a )t mod p as the bases, respectively. 5 Security In =-=[9]-=- and [10], Pointcheval and Stern discussed the security of a large class of signature schemes, namely those that are derived from zero-knowledge identification protocols by replacing the verifier’s ro... |

138 | signcryption or how to achieve cost (signature &encryption) << cost (signature) + cost (encryption), (Extended abstract
- Zheng
(Show Context)
Citation Context ...efly discussed in [8]. In this paper, we introduce a new efficient designated verifier signature scheme that is based on a combination of the Schnorr signature [12] and the Zheng signcryption schemes =-=[13]-=-. It requires only 1 modular exponentiation to generate and 2 modular exponentiations to verify a signature, i.e. no additional exponentiations are needed to convert the original Schnorr or Zheng sche... |

51 | 1-out-of-n signatures from a variety of keys
- Abe, Ohkubo, et al.
- 2002
(Show Context)
Citation Context ...y Rivest, Shamir and Tauman (RST, for short) that provides the designated verifier property 3 . Another scheme that may be turned into a designated verifier signature is due to Abe, Ohkubo and Suzuki =-=[1]-=- and is known as 1-out-of-n signature. Because of lack of space, we do not describe this scheme. We just notice that it is essentially some kind of ring signatures that may make use of different type ... |

42 |
Special Uses and Abuses of the Fiat-Shamir Passport Protocol
- Desmedt, Goutier, et al.
- 1988
(Show Context)
Citation Context ...n order to avoid undesirable verifiers getting convinced of the validity of the signatures. However, these signatures do not always achieve their goal, because of blackmailing [6,7] and mafia attacks =-=[5]-=-. The problem is due to the fact that the signer does not know to whom s/he is proving the validity of a signature. This weakness of undeniable signatures motivated the parallel introduction of design... |

21 | Blackmailing using Undeniable Signature
- Jakobsson
- 1994
(Show Context)
Citation Context ...interactive protocol), in order to avoid undesirable verifiers getting convinced of the validity of the signatures. However, these signatures do not always achieve their goal, because of blackmailing =-=[6, 7]-=- and mafia attacks [5]. The problem is due to the fact that the signer does not know to whom s/he is proving the validity of a signature. This weakness of undeniable signatures motivated the parallel ... |

7 |
Designated Verifier Proofs and Their
- Jakobsson, Sako, et al.
(Show Context)
Citation Context ...ow to whom s/he is proving the validity of a signature. This weakness of undeniable signatures motivated the parallel introduction of designated verifier signatures by Jakobsson, Sako and Impagliazzo =-=[8]-=-, as well as private signatures by Chaum [3]. Both of these signatures are based on the same idea and are nearly identical. In the rest of this paper, we only focus on the Jakobsson et al. scheme as i... |

5 |
D.(1996).Private signature and proof systems. United States Patent 5,493,614
- Chaum
(Show Context)
Citation Context ... signature. This weakness of undeniable signatures motivated the parallel introduction of designated verifier signatures by Jakobsson, Sako and Impagliazzo [8], as well as private signatures by Chaum =-=[3]-=-. Both of these signatures are based on the same idea and are nearly identical. In the rest of this paper, we only focus on the Jakobsson et al. scheme as it resulted in an academic publication. Desig... |

3 |
Yung: Weakness of Undeniable Signature Schemes (Extended Abstract). EUROCRYPT
- Desmedt, M
- 1991
(Show Context)
Citation Context ...interactive protocol), in order to avoid undesirable verifiers getting convinced of the validity of the signatures. However, these signatures do not always achieve their goal, because of blackmailing =-=[6, 7]-=- and mafia attacks [5]. The problem is due to the fact that the signer does not know to whom s/he is proving the validity of a signature. This weakness of undeniable signatures motivated the parallel ... |